The European Commission this week warned there will be “no quick fix” to replace the now-invalidated Privacy Shield, which governed data transfers between the European Union and United Sates.
EU Justice Commissioner Didier Reynders told members of the European Parliament (MEPs) on Thursday the “political nature” of the issue would likely hamper progress on a replacement, despite a willingness by officials in both the European Union and United States to resolve the problem quickly.
Reynders said any bid from the European Union for the United States to consider “legislative changes” to the country’s surveillance laws to align them with European expectations of privacy, as well as the timing of the U.S. election in November, are likely to slow progress.
“There will be no quick fix,” Reynders said. “What we need are sustainable solutions that deliver legal certainty, in full compliance with the judgment of the Court [of Justice of the European Union].”
“That is also the message that I have clearly passed to my U.S. counterparts,” he added.
However, on a more positive note, Reynders suggested there is now more common ground from which to seek an alternative solution than there was when the Privacy Shield was negotiated back in 2015.
The CJEU in July also cast doubts on the suitability of standard contractual clauses (SCCs), the most common legal mechanism used by companies to ensure personal data is protected when exported from the European Union to third countries.
EU data protection authorities (DPAs) have since taken varied views as to the extent companies need to check that SCCs remain suitable, leading to concerns that approaches to enforcement are fragmented. The Commission wants a more coordinated response.
Reynders told MEPs on the EU Parliament’s civil liberties committee that the European Commission is seeking to “modernize” SCCs and that a first draft should be available this month. The Commission hopes to launch the adoption process soon and to finalize the updated SCCs by the end of 2020, depending on whether the European Data Protect Board (EDPB) and national DPAs back the changes.
To improve the SCCs, the Commission says they should address transfer scenarios they do not currently cover, such as transfers of data between an EU data processor and a non-EU data processor. The new SCCs should also better reflect the realities of data processing operations in a modern and open economy—for example, by more easily enabling multiple parties to sign SCCs and allow the accession of new parties.
“It’s very important to say that it’s not just possible to use SCCs without any changes,” said Reynders.
Andrea Jelinek, chair of EDPB, the EU’s regulator for the General Date Protection Regulation, told MEPs on the committee the EDPB will now focus on reviewing and updating existing guidance documents that relate to data transfers, as well as prepare additional recommendations to support data controllers and processors on the transfer of personal data from the European Economic Area to third countries.
Separately, as a follow-up to the CJEU’s Privacy Shield (“Schrems II”) ruling and the FAQ it adopted on July 23, the EDPB announced Friday it has created a task force to prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.